by jacquesm
3943 days ago
HN uses x-frame-options:"DENY" to good effect, which takes care of a fair number of click-jack tricks; it also uses strict-transport-security. But there is only so much you can do with headers; the real risks are in the documents themselves. How about a <nojs> </nojs> pair in the primary document disabling any kind of javascript execution in the space between the tags. And those tags should only work in the primary document.
But wouldn't folks still be able to inject scripts by just writing `</nojs><script>alert('hi')</script><nojs>`?
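Added illustration, not code from either commenter: a toy server-side model of the proposed `<nojs>` region (the filter, the tag names and the `render_*` helpers are all assumptions) shows why an in-band marker fails exactly as the reply describes, while escaping the untrusted text before interpolation leaves nothing that can close or open a tag.

```python
import html
import re

# Constructed model of the hypothetical <nojs> proposal: a server-side filter
# that strips <script> blocks only inside <nojs>...</nojs> regions. The marker
# lives in the same byte stream as the untrusted text, so the text can end it.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
NOJS_RE = re.compile(r"<nojs>(.*?)</nojs>", re.I | re.S)


def naive_nojs_filter(doc: str) -> str:
    """Remove <script> elements that sit between <nojs> and </nojs> markers."""
    def scrub(match: re.Match) -> str:
        return "<nojs>" + SCRIPT_RE.sub("", match.group(1)) + "</nojs>"
    return NOJS_RE.sub(scrub, doc)


def render_naive(user_text: str) -> str:
    """Interpolate untrusted text raw and rely on the <nojs> marker (assumed design)."""
    return naive_nojs_filter(f"<p><nojs>{user_text}</nojs></p>")


def render_escaped(user_text: str) -> str:
    """Escape untrusted text so it is inert data, whatever tags it contains."""
    return f"<p>{html.escape(user_text, quote=True)}</p>"


def contains_live_script(doc: str) -> bool:
    """True if the rendered document still carries a real <script> element."""
    return SCRIPT_RE.search(doc) is not None


if __name__ == "__main__":
    # Constructed inputs: a plain script, and the breakout quoted in the reply.
    plain = "hello <script>alert(1)</script>"
    breakout = "</nojs><script>alert('hi')</script><nojs>"
    print(render_naive(plain), contains_live_script(render_naive(plain)))
    print(render_naive(breakout), contains_live_script(render_naive(breakout)))
    print(render_escaped(breakout), contains_live_script(render_escaped(breakout)))
```

The naive filter catches the plain script but not the breakout, because the injected `</nojs>` terminates the protected region before the `<script>` appears; the escaped rendering is safe for both inputs.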